Patched CVE-2023-26253 in glusterfs. (CP: #9717) (#9719)

PawelWMS · web-flow · commit cd7cf078f154 · 2024-07-10T10:55:16.000-07:00
diff --git a/SPECS/glusterfs/CVE-2023-26253.patch b/SPECS/glusterfs/CVE-2023-26253.patch
@@ -0,0 +1,42 @@
+diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
+index e2c963aac38..d6633875fb3 100644
+--- a/xlators/mount/fuse/src/fuse-bridge.c
++++ b/xlators/mount/fuse/src/fuse-bridge.c
+@@ -6486,6 +6486,7 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+     int32_t ret = 0;
+     fuse_private_t *private = NULL;
+     gf_boolean_t start_thread = _gf_false;
++    gf_boolean_t event_graph = _gf_true;
+     glusterfs_graph_t *graph = NULL;
+     struct pollfd pfd = {0};
+ 
+@@ -6493,9 +6494,6 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ 
+     graph = data;
+ 
+-    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+-           ((graph) ? graph->id : 0));
+-
+     switch (event) {
+         case GF_EVENT_GRAPH_NEW:
+             break;
+@@ -6581,9 +6579,19 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+         }
+ 
+         default:
++            /* Set the event_graph to false so that event
++               debug msg would not try to access invalid graph->id
++               while data object is not matched to graph object
++               for ex in case of upcall event data object represents
++               gf_upcall object
++            */
++            event_graph = _gf_false;
+             break;
+     }
+ 
++    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
++           ((graph && event_graph) ? graph->id : -1));
++
+     return ret;
+ }
+ 
diff --git a/SPECS/glusterfs/glusterfs.spec b/SPECS/glusterfs/glusterfs.spec
@@ -110,7 +110,7 @@
 Summary:        Distributed File System
 Name:           glusterfs
 Version:        7.9
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2 OR LGPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -121,6 +121,7 @@ Source2:        glusterfsd.sysconfig
 Source7:        glusterfsd.service
 Source8:        glusterfsd.init
 Patch0001:      0001-rpc-rpc-lib-src-Makefile.am.patch
+Patch0002:      CVE-2023-26253.patch
 
 BuildRequires:  bison
 BuildRequires:  flex
@@ -554,8 +555,7 @@ functionality, and also few other scripts required for setup.
 This package provides the glusterfs thin-arbiter translator.
 
 %prep
-%setup -q -n %{name}-%{version}%{?dev}
-%patch0001 -p1
+%autosetup -n %{name}-%{version}%{?dev} -p1
 
 %build
 
@@ -1226,6 +1226,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Jul 08 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 7.9-6
+- Patching CVE-2023-26253.
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 7.9-5
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
